Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP with local EAP-TLS, not seeing Terminated-option

  • 1.  IAP with local EAP-TLS, not seeing Terminated-option

    Posted Jul 05, 2018 04:55 AM

    Hi,

     

    I'm trying to configure client certificate authentication with IAP only, as we don't have (and are not going to have) a RADIUS server.

     

    We have +20 APs, IAP-315 running 6.5.4.7 firmware.

     

    First problem: There's no Termination option in security settings. Per user guide and this https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/MCGeneratedPopups/Popup_-2140548310.htm it should be there.


     

    Second problem: when trying to upload the certificate, it gives an error saying "The file xyz.pem was not uploaded because it is not a properly formatted certificate file."

    It looks like this: 
    -----BEGIN CERTIFICATE-----
    MIIDtTCCAp2gAwIBAgIJAKXYlS8PLR6ZMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
    . . . LINES . . . .
    wnzNiNncyuHoya1ko8F/0hK0y/PaXriLSC/rmSG71X+P5yZji9wx0xc=
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA3SH70yCOJusRaLJ1rRm2Qd/xOHbnHvt5ZUnRUqqijn45CJYL
    . . . LINES . . . .
    axvp9SaUE1Q4pKPwoX7fjnm++NvNZudki5OAKLHWUJYrjKwtGXldeA==
    -----END RSA PRIVATE KEY-----

     

    I've read a lot of topics from this forum and tried this and that, but can't get it working. 

    At least this is a similar situation to mine.

     

    Any help appreciated :) 



  • 2.  RE: IAP with local EAP-TLS, not seeing Terminated-option

    EMPLOYEE
    Posted Jul 06, 2018 09:31 AM

    The internal server always uses EAP Termination. You can check: if you select an external server, the option is displayed; for the internal server it is left out, as there is no other option.

     

    Also, from the user guide:

    Supported EAP Authentication Frameworks

    The following EAP authentication frameworks are supported in the Instant network:

    EAP-TLS—The EAP-TLS method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and CA certificates installed on the Instant AP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.

    (removed other options)

    To use the Instant AP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated.

     

    For the certificate import, make sure you select the right type (Authentication Server). Concatenating the key and certs like you did should work fine. It might be that a message is logged in the AP system (or security) log that tells why the certificate wasn't imported.
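
A generic well-formedness check for a concatenated certificate-plus-key PEM file like the one in the first post, useful for narrowing down a "not a properly formatted certificate file" rejection before turning to the AP logs. This is an added example, not part of the thread or of Aruba's tooling; `lint_pem_bundle` is a hypothetical helper, and its checks are general PEM rules, not the IAP importer's documented requirements.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def lint_pem_bundle(data: bytes):
    """Return (labels, findings) for a PEM bundle passed as raw file bytes."""
    labels, findings = [], []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("file starts with a UTF-8 byte order mark")
        data = data[3:]
    if b"\r" in data:
        findings.append("CR characters present (Windows line endings)")
    current, body, encrypted = None, [], False
    for n, line in enumerate(data.decode("ascii", "replace").splitlines(), 1):
        if line != line.strip():
            findings.append(f"line {n}: leading or trailing whitespace")
            line = line.strip()
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if current:
                findings.append(f"line {n}: BEGIN inside open {current} block")
            current, body, encrypted = begin.group(1), [], False
        elif end:
            if end.group(1) != current:
                findings.append(f"line {n}: END {end.group(1)} has no matching BEGIN")
            else:
                labels.append(current)
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    # Unencrypted certificates and keys are DER SEQUENCEs (tag 0x30).
                    if not encrypted and not der.startswith(b"\x30"):
                        findings.append(f"{current}: payload is not a DER SEQUENCE")
                except binascii.Error:
                    findings.append(f"{current}: body is not valid base64")
            current = None
        elif current and ":" in line:
            # Legacy header lines such as "Proc-Type: 4,ENCRYPTED".
            if "ENCRYPTED" in line:
                encrypted = True
                findings.append(f"{current}: private key is passphrase-encrypted")
        elif current and line:
            body.append(line)
        elif line:
            findings.append(f"line {n}: text outside any PEM block")
    if current:
        findings.append(f"{current}: missing END line")
    return labels, findings
```

Run it on the raw bytes of the file (`open(path, "rb").read()`); an empty findings list with labels `CERTIFICATE` followed by the key block means the container itself is well formed and the cause lies elsewhere.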